Creating a Cluster Policy

Create Policy enables the Infosec teams / PKI administrators to create, define, and enforce policies for one or more clusters managed in the inventory.
Note: The certificate automations (creation, renewal, etc.) initiated from a specific cluster must adhere to the policy parameters outlined in this policy inventory. Any cluster that is not a part of or does not align with the Cluster Policy will be denied certificate automations.

Why is Cluster Policy Essential?

Cluster Policy is your toolbox of rules and guidelines that you set up to manage the safe issuance of SSL/TLS certificates within your Kubernetes cluster. AppViewX offers various ways to ensure that these policies are followed when certificates are issued.
  • CA Setting [Namespace Specific Policy Enforcement] - The CA Setting policy type is used to configure a dedicated CA and manage how certificates are issued within a namespace. This gives application teams working in a specific namespace access to their dedicated CA to request certificates for their unique domains.

  • CA Setting Cluster [Cluster wide Policy Enforcement] - The CA Setting Cluster policy type is applied when application teams deploy workloads across the entire cluster. This policy type, regardless of where the applications are located, manages certificate issuance and CA configuration. It ensures seamless issuance of certificates from the enforced Certificate Authority and defined Policy, maintaining cluster-wide security and consistency.
  • Cluster Policy also helps define in which namespace certificate discovery needs to be disabled. For example, users can define a regex like `kube-*` to prevent certificate discovery from any namespaces starting with `kube`, like `kube-system`.

Prerequisites:

To create a cluster policy:

  1. Go to menu > KUBE+ > GROUPS & POLICIES > Cluster Policy
    On the Cluster Policy page, the created policies are displayed, if any.
  2. Click .
  3. Enter/select the policy information.
    Table 1. Policy Information - Field and Description Table

    Policy Name*
      Enter a unique policy name to be associated with one or more clusters.
    Type*
      Select a type from the dropdown list. The options are:
      • CA Settings Cluster - Cluster-wide global policy.
      • CA Setting - Policy to be applied for a specific namespace or a project within a cluster.
    Certificate Group*
      Select a certificate group from the dropdown list.
    Associate CA Policy*
      The CA Policy associated with the selected certificate group is automatically populated in the dropdown. Select the appropriate policy from this list.
    Certificate Authority
      Select a Certificate Authority from the dropdown list.
    CA Settings
      Select the CA Settings from the dropdown list.
    Namespace Exclusion
      Enter a namespace name or regex and press Enter to add it to the exclusion list. Excluded namespaces are omitted from certificate discovery, and the Server Certificate inventory will not display certificates from them.

    *: Mandatory fields
  4. Click Add.
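The namespace exclusion behaviour described above (a plain name or a regex such as `kube-*` removing namespaces from certificate discovery) can be illustrated with a small filter. This is an added example, not AppViewX code; it assumes that each exclusion entry is a regular expression anchored at the start of the namespace name, which is the reading under which `kube-*` excludes every namespace beginning with `kube` as the page states. The namespace and certificate names are constructed sample data.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample: namespace -> certificate subjects that discovery found there.
DISCOVERED: Dict[str, List[str]] = {
    "kube-system": ["kube-apiserver", "etcd-client"],
    "kube-public": ["cluster-info"],
    "kubernetes-dashboard": ["dashboard.internal"],
    "payments": ["pay.example.com"],
    "default": ["legacy.example.com"],
}


def is_excluded(namespace: str, patterns: Iterable[str]) -> bool:
    """Return True if any exclusion entry matches the namespace.

    Assumption (hypothetical, not stated on the page): entries are regexes
    matched from the start of the name (re.match).  Under that rule
    `kube-*` matches kube-system, kube-public and kubernetes-dashboard,
    i.e. every namespace starting with `kube`.  Note that a bare name such
    as `default` then also matches `default-staging`; append `$` to the
    entry (`default$`) when exactly one namespace should be excluded.
    """
    return any(re.match(pattern, namespace) for pattern in patterns)


def filter_discovery(discovered: Dict[str, List[str]],
                     patterns: Iterable[str]) -> Dict[str, List[str]]:
    """Drop excluded namespaces so their certificates never reach the inventory."""
    pats = list(patterns)
    return {ns: certs for ns, certs in discovered.items()
            if not is_excluded(ns, pats)}


if __name__ == "__main__":
    for ns, certs in filter_discovery(DISCOVERED, ["kube-*", "default$"]).items():
        print(ns, certs)
```

Running the block lists only the `payments` namespace: the three `kube`-prefixed namespaces are removed by `kube-*`, and `default$` removes exactly the `default` namespace without touching any namespace that merely begins with that word.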